X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=6f8b41860120b2259df03c253b7204fe5b1729c5;hb=d56ca7cb70039b036d91f93cfb33cb1fb7743e82;hp=4a1f3713c9b819b70e61efe1c62f2e986f3837c4;hpb=a1d397a274083c5e9dfb9d690593e6d65968b264;p=dsa-puppet.git diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 4a1f3713..6f8b4186 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp @@ -3,7 +3,7 @@ class ferm::per-host { include ferm::zivit } - if $::hostname in [glinka,klecker,merikanto,ravel,rietz,senfl,sibelius,stabile] { + if $::hostname in [glinka,klecker,ravel,rietz,senfl,sibelius,stabile] { ferm::rule { 'dsa-rsync': domain => '(ip ip6)', description => 'Allow rsync access', @@ -12,25 +12,6 @@ class ferm::per-host { } case $::hostname { - samosa: { - @ferm::rule { 'dsa-udd-stunnel': - description => 'port 8080 for udd stunnel', - rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))' - } - } - ullmann: { - @ferm::rule { 'dsa-postgres-udd': - description => 'Allow postgress access', - # quantz, wagner, master - rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 217.196.43.134/32 217.196.43.132/32 82.195.75.110/32 ))' - } - @ferm::rule { 'dsa-postgres-udd6': - domain => '(ip6)', - description => 'Allow postgress access', - # quantz - rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 ))' - } - } czerny,clementi: { @ferm::rule { 'dsa-upsmon': description => 'Allow upsmon access', @@ -39,29 +20,19 @@ class ferm::per-host { } bendel: { @ferm::rule { 'listmaster-ontp-in': - description => 'ONTP has a broken mail setup', - table => 'filter', - chain => 'INPUT', - rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP', + description => 'ONTP has a broken mail setup', + table => 'filter', + chain => 'INPUT', + rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP', } @ferm::rule { 'listmaster-ontp-out': - description => 'ONTP has a broken mail setup', - table => 'filter', - chain => 'OUTPUT', - rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', + description => 'ONTP has a broken mail setup', + table => 'filter', + chain => 'OUTPUT', + rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', } } - abel,alwyn,rietz: { - @ferm::rule { 'dsa-tftp': - description => 'Allow tftp access', - rule => '&SERVICE(udp, 69)' - } - } - paganini: { - @ferm::rule { 'dsa-dhcp': - description => 'Allow dhcp access', - rule => '&SERVICE(udp, 67)' - } + abel,alwyn,rietz,jenkins: { @ferm::rule { 'dsa-tftp': description => 'Allow tftp access', rule => '&SERVICE(udp, 69)' @@ -93,11 +64,6 @@ class ferm::per-host { } } draghi: { - #@ferm::rule { 'dsa-bind': - # domain => '(ip ip6)', - # description => 'Allow nameserver access', - # rule => '&TCP_UDP_SERVICE(53)' - #} @ferm::rule { 'dsa-finger': domain => '(ip ip6)', description => 'Allow finger access', @@ -113,29 +79,6 @@ class ferm::per-host { description => 'Allow ldaps access', rule => '&SERVICE(tcp, 636)' } - @ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - @ferm::rule { 'dsa-routing': - description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface tun+ ACCEPT; -REJECT reject-with icmp-admin-prohibited -' - } - @ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - @ferm::rule { 'dsa-vpn-nat': - table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } } cilea: { ferm::module { 'nf_conntrack_sip': } @@ -152,22 +95,6 @@ REJECT reject-with icmp-admin-prohibited rule => '&TCP_UDP_SERVICE(5080)' } } - unger: { - @ferm::rule { 'dsa-notrack-dns-diamond-in': - domain => 'ip', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'PREROUTING', - rule => 'destination 82.195.75.108 proto (tcp udp) dport 53 jump NOTRACK' - } - @ferm::rule { 'dsa-notrack-dns-diamond-out': - domain => 'ip', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'PREROUTING', - rule => 'source 82.195.75.108 proto (tcp udp) sport 53 jump NOTRACK' - } - } sonntag: { @ferm::rule { 'dsa-bugs-search': description => 'port 1978 for bugs-search from bug web frontends', @@ -227,21 +154,63 @@ REJECT reject-with icmp-admin-prohibited @ferm::rule { 'dsa-conntrackd': rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT', } + @ferm::rule { 'dsa-bind-notrack-in': + domain => 'ip', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'PREROUTING', + rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' + } + + @ferm::rule { 'dsa-bind-notrack-out': + domain => 'ip', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'OUTPUT', + rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' + } + + @ferm::rule { 'dsa-bind-notrack-in6': + domain => 'ip6', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'PREROUTING', + rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' + } + + @ferm::rule { 'dsa-bind-notrack-out6': + domain => 'ip6', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'OUTPUT', + rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK' + } } default: {} } + # solr stuff + case $::hostname { + stockhausen: { + @ferm::rule { 'dsa-solr-jetty': + description => 'Allow jetty access', + rule => '&SERVICE_RANGE(tcp, 8080, ( 82.195.75.100/32 ))' + } + } + } + # postgres stuff case $::hostname { - grieg: { - @ferm::rule { 'dsa-postgres-ullmann': + ullmann: { + @ferm::rule { 'dsa-postgres-udd': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.141/32 ))' + # quantz, moszumanska, master, couper, coccia, franck + rule => '&SERVICE_RANGE(tcp, 5452, ( 206.12.19.122/32 5.153.231.21/32 82.195.75.110/32 5.153.231.14/32 5.153.231.11/32 138.16.160.12/32 ))' } - @ferm::rule { 'dsa-postgres-ullmann6': + @ferm::rule { 'dsa-postgres-udd6': domain => '(ip6)', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + rule => '&SERVICE_RANGE(tcp, 5452, ( 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))' } } franck: { @@ -254,27 +223,78 @@ REJECT reject-with icmp-admin-prohibited description => 'Allow postgress access', rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' } + + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))' + } } bmdb1: { + @ferm::rule { 'dsa-postgres-main': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.14/32 5.153.231.23/32 5.153.231.25/32 206.12.19.141/32 ))' + } + @ferm::rule { 'dsa-postgres-main6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:14/128 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } @ferm::rule { 'dsa-postgres-dak': description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.0/24 ))' + rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 206.12.19.122/32 206.12.19.123/32 206.12.19.134/32 5.153.231.21/32 ))' } @ferm::rule { 'dsa-postgres-dak6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000::/64 ))' + rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2607:f8f0:610:4000:216:36ff:fe40:3860/128 2607:f8f0:610:4000:216:36ff:fe40:3861/128 2607:f8f0:610:4000:6564:a62:ce0c:1386/128 2001:41c8:1000:21::21:21/128 ))' + } + @ferm::rule { 'dsa-postgres-wanna-build': + # wuiet, ullmann, franck + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 206.12.19.141/32 138.16.160.12/32 ))' + } + @ferm::rule { 'dsa-postgres-wanna-build6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:610:4000:6564:a62:ce0c:138d/128 ))' + } + @ferm::rule { 'dsa-postgres-bacula': + # dinis + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))' + } + @ferm::rule { 'dsa-postgres-bacula6': + domain => 'ip6', + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))' + } + + @ferm::rule { 'dsa-postgres-backup': + # ubc, wuit + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 5.153.231.12/32 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5435 5436), ( 2001:41c8:1000:21::21:12/128 ))' } } danzi: { @ferm::rule { 'dsa-postgres-danzi': + # ubc, wuit description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 194.177.211.200/32 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 5.153.231.18/32 ))' } @ferm::rule { 'dsa-postgres-danzi6': domain => 'ip6', description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:648:2ffc:deb:214:22ff:fe74:1fa/128 ))' + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2001:41c8:1000:21::21:18/128 ))' } @ferm::rule { 'dsa-postgres2-danzi': @@ -290,15 +310,67 @@ REJECT reject-with icmp-admin-prohibited rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 ))' } - @ferm::rule { 'dsa-postgres-bacula-danzi': - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5434, ( 206.12.19.139/32 ))' + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))' } - @ferm::rule { 'dsa-postgres-bacula-danzi6': + @ferm::rule { 'dsa-postgres-backup6': domain => 'ip6', - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2607:f8f0:610:4000:6564:a62:ce0c:138b/128 ))' + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))' } } + chopin: { + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( 5.153.231.12/32 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( 2001:41c8:1000:21::21:12/128 ))' + } + } + sibelius: { + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.12/32 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:12/128 ))' + } + } + default: {} + } + # vpn fu + case $::hostname { + draghi,eysler: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + default: {} } }